Users / VPN (Need a place for my notes)
« on: January 29, 2014, 03:52:50 pm »
Hi all,
I am trying to make VPN work, and I just need a place to put my notes, and perhaps sometimes some help/advice/testers.
I don't have a lot of time, and my head is filled with a lot of things lately, so that's why I dump this here.
This is what I know for now:
VPN is working if the Core has a publicly addressable IP, i.e. not 192.168.x.x, 10.x.x.x, 172.16.x.x
It is working with and without NAT (protocol 50 or udp port 4500).
What you need to make it work:
In the firewall, allow udp 500, udp 4500, and ip 50 (protocol 50).
And you need to accept 1701 out of the IPSEC tunnel:
iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
There needs to be a ppp-up script that allows the remote end in iptables. Next time I work on VPN, I'll try to make it.
Could be that just ifup ppp0 is enough -> need to test.
It's possible that for devices to use 'internet' over VPN, masquerading is needed:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.80.0/24 -j MASQUERADE
Conclusions:
- If VPN is working internally, it is working with a public outside IP.
- If set up with a private outside IP, 1701 traffic doesn't want to go through the IPsec tunnel, and thus fails.
This could be because I have only tested this with Android clients; I need to try with Windows, or Mac (or Linux).
- It's easiest to set up with the firewall disabled.
- There is still some work that needs to be done on scripting and automatic adding of firewall rules.
Anton
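The rules listed in the post, collected into one script as an added example (this is not Anton's script and not part of the original post). It builds the base IKE/NAT-T/ESP rules, the policy-matched udp/1701 rule and the masquerade rule, plus the ppp ip-up/ip-down part the post says still needs writing. The WAN interface eth0 and the client pool 192.168.80.0/24 are taken from the post; the ppp interface name, peer address, the conntrack rule and the command-line layout are assumptions. Setting IPT=echo prints the rules instead of applying them, so they can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumptions: WAN interface
# eth0 and VPN client pool 192.168.80.0/24 (both from the post); ppp interface
# names, peer addresses and the dispatcher layout below are constructed.
#
# Usage:
#   IPT=echo sh vpn-firewall.sh base          # print rules instead of applying
#   sh vpn-firewall.sh base                   # apply (needs root)
#   sh vpn-firewall.sh ppp-up   "$@"          # from /etc/ppp/ip-up   (pppd args)
#   sh vpn-firewall.sh ppp-down "$@"          # from /etc/ppp/ip-down (pppd args)
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_POOL="${VPN_POOL:-192.168.80.0/24}"

# Rules needed before a client can even negotiate: IKE (udp/500), NAT-T
# (udp/4500) and ESP (IP protocol 50). L2TP (udp/1701) is accepted ONLY when
# the packet arrived inside an IPsec SA ("-m policy --dir in --pol ipsec");
# a bare udp/1701 packet from the Internet still hits the default policy.
vpn_base_rules() {
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    "$IPT" -A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
    # Let VPN clients reach the Internet by hiding the pool behind the WAN address.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_POOL" -j MASQUERADE
}

# pppd runs /etc/ppp/ip-up and ip-down with:
#   IFNAME TTY SPEED LOCAL_IP REMOTE_IP [IPPARAM]
# $1 is -A (tunnel came up) or -D (tunnel went down) so the exact rules added
# on ip-up are deleted again on ip-down instead of piling up in the chain.
# Only the address pppd just handed to this client is allowed through its
# ppp interface, rather than a blanket "-i ppp+ -j ACCEPT".
vpn_ppp_rules() {
    action="$1"; ppp_if="$2"; peer_ip="$3"
    "$IPT" "$action" INPUT -i "$ppp_if" -s "$peer_ip" -j ACCEPT
    "$IPT" "$action" FORWARD -i "$ppp_if" -s "$peer_ip" -j ACCEPT
    "$IPT" "$action" FORWARD -o "$ppp_if" -d "$peer_ip" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dispatcher. For ppp-up/ppp-down the pppd arguments follow the verb, so
# $2 is IFNAME and $6 is REMOTE_IP.
case "$1" in
    base)     vpn_base_rules ;;
    ppp-up)   vpn_ppp_rules -A "$2" "$6" ;;
    ppp-down) vpn_ppp_rules -D "$2" "$6" ;;
esac
```

The base rules use -A, so they must come before any catch-all DROP in INPUT; if the chain already ends in a drop rule, switch them to -I or place them in a dedicated chain. The ip-down branch deleting exactly what ip-up added is what keeps the FORWARD chain from accumulating stale per-client rules across many reconnects.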